Misc

Aye! Right!

I just got this email purporting to be from PayPal. I don’t believe the email.

Dear valued PayPal member:

It has come to our attention that your PayPal account information needs to be
updated as part of our continuing commitment to protect your account and to reduce
the instance of fraud on our website.  If you could please take 5-10 minutes out
of your online experience and update your personal records you will not run into
any future problems with the online service.


However, failure to update your records will result in account suspension.
Please update your records on or before July 06, 2007.

Once you have updated your account records, your PayPal session will not be
interrupted and will continue as normal.

To update your PayPal records click on the following link:
http://72.189.180.57/updateusersonlinesecurity.html



Thank You.
PayPal UPDATE TEAM

What makes me think it is a fake? The URL does not contain PayPal’s domain name. It is a simple IP address.

So, who owns the IP Address?

OrgName:    Road Runner HoldCo LLC
OrgID:      RRSW
Address:    13241 Woodland Park Road
City:       HerndonState
Prov:       VA
PostalCode: 20171
Country:    US

And what about the real PayPal. Their IP Address is 216.113.188.64.

Also, the email didn’t have my address in the “TO” box (So I’m guessing all the recipients were BCC’d into the list) and the reply address is no-reply@google.com.

I have sent an appropriate email to Road Runner letting them know that someone is using their servers to host phishing sites. Hopefully it can be taken down promptly to prevent any less savvy people falling victim to this really quite amaturish attempt at a phishing scam.

Tags:

3 thoughts on “Aye! Right!

  1. I believe RoadRunner are an ISP. That’s probably a DSL customer. Whether the customer are themselves committing the scam, or they’re a zombie, I don’t know. I wouldn’t be too surprised if infected machines weren’t merely used to send the scam emails but also to collect the results. Fewer links back to the perpetrator.

  2. This very IP is also the one hacking (or attempting to hack) into SQL servers. It is a computer that is running a program trying out all possible login names, and of course with each login name, various passwords. If you are running SQL server, ensure that you check your Event Viewer, and the chances are that you will find the IP listed (don’t forget to deny access for it)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s